Giters

Maldev-Academy / GhostlyHollowingViaTamperedSyscalls

Implementing the ghostly hollowing PE injection technique using tampered syscalls.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Ghostly Hollowing Via Tampered Syscalls

Quick Links

Maldev Academy Home

Maldev Academy Syllabus

Maldev Academy Pricing

Summary

This implementation utilizes two techniques covered in the recent updates to the Maldev Academy course:

Tampered Syscalls

  • All syscalls invoked in the implementation are called through the TAMPER_SYSCALL macro. This macro calls the StoreTamperedSyscallParms function to:

    • Determine the address of the syscall instruction within the NtQuerySecurityObject syscall stub (i.e. decoy syscall), and set a hardware breakpoint at this address.
    • Fetch the syscall number of the real invoked syscalls using the Sorting by System Call Address method introduced in SysWhispers2.
    • Save the invoked syscall's first four arguments.

  • When calling the TAMPER_SYSCALL macro, TAMPER_SYSCALL will spoof the invoked syscall's first four arguments with NULL values. Then it'll call the NtQuerySecurityObject syscall, triggering the breakpoint installed earlier.

  • We handle the raised exception by replacing the SSN of the decoy syscall (NtQuerySecurityObject) with the real invoked syscall (e.g. ZwAllocateVirtualMemory's SSN). Then we replace the spoofed arguments with the real ones. These steps are executed in the ExceptionHandlerCallbackRoutine VEH function.

Ghostly Hollowing

  1. Fetch the PE payload: The implementation fetches the PE payload (mimikatz.exe) from the disk. In an ideal situation, you should encrypt the payload and store it in the resource section.

  2. Create an empty file on the disk: Create a temporary file (.tmp) in the $env:TMP directory. This file will later be overwritten with the PE payload.

  3. Create a ghost section from the temporary file: A ghost section is created by calling ZwCreateSection to create a section from the delete-pending .tmp file, closing the file handle, and deleting the file from the disk.

  4. Create a remote process: Using the CreateProcess WinAPI, we create a remote process and map the ghost section to it.

  5. Patch the ImageBaseAddress: Patch the ImageBaseAddress element of the PEB structure to point to the mapped ghost section, and execute the PE payload's entry point via thread hijacking.

Demo

DEMO1

DEMO2

Demo.mp4

Related Maldev Academy Modules

About

Implementing the ghostly hollowing PE injection technique using tampered syscalls.

License:MIT License

Languages

Language:C 100.0%